ICO consultation on the draft updated data sharing code of practice


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the
survey, or you have any general queries about the consultation, please
email us at datasharingcode@ico.org.uk.


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where
the respondent indicates that they are an individual acting in a private
capacity (e.g. a member of the public). All responses from organisations
and individuals responding in a professional capacity will be published. We
will remove email addresses and telephone numbers from these
responses; but apart from this, we will publish them in full.


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


O Yes 


X No 


Q2 If not, please specify where improvements could be made. 


• While the draft code of practice has covered most of the new
aspects of the current data protection framework, the following
issues should be further highlighted, either by providing additional
explanation in the code or by referring to other relevant ICO
documents:


• (1) Conditions of valid consent (Article 7 GDPR), especially on
cases where consent is not valid for data sharing that is not
necessary for the performance of a contract (Article 7(4)).


• (2) Separate or joint controllers: While the draft code has
emphasised the necessity of a data sharing agreement as required
by Article 26 GDPR, it should also clarify when controllers are
acting separately or jointly, as this would have significant
implications for clear definition of shared responsibilities, as well
as joint liabilities.


• (3) The right to data portability (Article 20): Specific reference
should be made to the relevant section of the ICO’s Guide to the
GDPR on the right to data portability, as this represents a new
right of particular relevance for the design and implementation of
data sharing systems.


Q3 Does the draft code cover the right issues about data sharing? 


Yes 


O No 


Q4 If no, what other issues would you like to be covered in it?


Q5 Does the draft code contain the right level of detail? 


Yes 


O No 


Q6 If no, in what areas should there be more detail within the draft 
code? 
Q7 Has the draft code sufficiently addressed new areas or
developments in data protection that are having an impact on your
organisation’s data sharing practices?


O Yes


X No


Q8 If no, please specify what areas are not being addressed, or not
being addressed in enough detail


Please see response to Q12 below.


Q9 Does the draft code provide enough clarity on good practice in data
sharing?


O Yes


X No


Q10 If no, please indicate the section(s) of the draft code which could be
improved, and what can be done to make the section(s) clearer.


We fully understand the ICO’s statutory duty to prepare a code of
practice on data sharing, which would inevitably have a large 
amount of overlap with its other guidance documents (notably,
the Guide to the GDPR). As a result, we agree the code should 
primarily serve to encourage the reader to consult the relevant 
documents that specifically address the issues concerned. 


However, the draft code often fails to specify a particular 
document, not to mention pinpointing a specific section within 
that document, and instead, only provides a general statement 
“For more details, you should refer to the ICO website at 
www.ico.org.uk.” Although making precise references to other 
documents may involve additional work for updating the code, 
this would significantly enhance the usability of the code. 


Q11 Does the draft code strike the right balance between recognising
the benefits of sharing data and the need to protect it?


O Yes


X No


Q12 If no, in what way does the draft code fail to strike this balance?


We welcome the ICO’s general approach in the draft code to 
reconcile the benefits of sharing data and the need to protect 
personal data. What should be further stressed, however, is the 
promise that emerging technologies hold in promoting these ends. 
Such technologies include edge computing and personal 
information management systems (PIMS), and the duties for data 
controllers to consider such possibilities. 


More generally, while the draft code has repeatedly encouraged 
data controllers to carefully consider whether data sharing is 
necessary and how to share data fairly, the ICO should also point 
out alternative, privacy-preserving models of utilising personal 
data. One such model is characterised by allowing a data 
controller to offer software (“an app”), that can access personal 
data from another controller, but where the data is only stored 
and analysed on the user’s device and no data is transferred to 
the former’s server. This model shares some underlying ideas with 
“data trusts” as highlighted by the draft code but features a
different technical approach. 


Our ongoing research project, Databox,¹ has proved this approach
is both technically and commercially feasible in an IoT setting, and 
we do not see any reason this model cannot be followed in other 
data sharing scenarios (e.g. media). 


Q13 Does the draft code cover case studies or data sharing scenarios
relevant to your organisation?


O Yes


X No


Q14 Please provide any further comments or suggestions you may have
about the draft code.


There are two areas of intense data sharing that we find 
particularly important but unfortunately not covered by the draft 
code: 


(1) Internet of Things (IoT): As automated exchange and sharing 
of data collected with smart home devices are becoming 
increasingly commonplace, there should be further guidance on 
best practices for data controllers (manufacturers, software 
developers, third-party service providers) to fulfil their data 
protection obligations. Importantly, in many use cases data 
sharing between these organisations does not necessarily involve a
formal legal arrangement but is simply made possible with 
technical protocols or standard architectures. Such routine data 
sharing may have significant implications for data subjects. 


(2) Online advertising: Following the ICO’s investigation into
real-time bidding and adtech, it has become clear that the level of
compliance with data protection law by the online marketing
sector is highly questionable. Further clarification is thus needed
particularly for smaller participants in the advertising ecosystem
with regard to compliance with data protection law. We
understand this might be covered in greater depth by the ICO’s
upcoming Direct Marketing Code, but before the publication of
such a code, it is crucial to also address online marketing from a
data sharing perspective.


Considering the increasing ubiquity of these two scenarios in both
the online and offline world, and in the absence of comprehensive,
up-to-date guidelines on these matters at the moment, we urge
the ICO to consider addressing these two use cases at least briefly
in the final version of the code, so as to highlight the importance
of adhering to data protection principles in these contexts.


1 https://www.horizon.ac.uk/project/databox/
2 For instance, see BBC Box: https://www.bbc.co.uk/rd/blog/2019-06-bbc-box-personal-data-privacy


Q15 To what extent do you agree that the draft code is clear and easy
to understand?


cr


Strongly agree


XK oO


Agree
Neither agree nor disagree


Disagree


O ü Oo


Strongly disagree


Q16 Are you answering as:


O An individual acting in a private capacity (e.g. someone
providing their views as a member of the public)


X An individual acting in a professional capacity


O On behalf of an organisation


O Other 


Please specify the name of your organisation: 




Thank you for taking the time to share your views and experience. 


